summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--crypto/context.c47
-rw-r--r--crypto/rand/rand_lib.c43
-rw-r--r--include/internal/cryptlib.h2
-rw-r--r--providers/fips/fipsprov.c1
-rw-r--r--providers/implementations/include/prov/implementations.h1
-rw-r--r--providers/implementations/include/prov/names.h1
-rw-r--r--providers/implementations/rands/build.info3
-rw-r--r--providers/implementations/rands/crngt.c192
-rw-r--r--providers/implementations/rands/drbg.c12
-rw-r--r--providers/implementations/rands/fips_crng_test.c434
10 files changed, 478 insertions, 258 deletions
diff --git a/crypto/context.c b/crypto/context.c
index f3d9f384fc..96216abcda 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -19,7 +19,7 @@
#include "crypto/context.h"
struct ossl_lib_ctx_st {
- CRYPTO_RWLOCK *lock, *rand_crngt_lock;
+ CRYPTO_RWLOCK *lock;
OSSL_EX_DATA_GLOBAL global;
void *property_string_data;
@@ -45,7 +45,6 @@ struct ossl_lib_ctx_st {
#if defined(OPENSSL_THREADS)
void *threads;
#endif
- void *rand_crngt;
#ifdef FIPS_MODULE
void *thread_event_handler;
void *fips_prov;
@@ -93,10 +92,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
if (ctx->lock == NULL)
goto err;
- ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new();
- if (ctx->rand_crngt_lock == NULL)
- goto err;
-
/* Initialize ex_data. */
if (!ossl_do_ex_data_init(ctx))
goto err;
@@ -222,7 +217,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
if (exdata_done)
ossl_crypto_cleanup_all_ex_data_int(ctx);
- CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
CRYPTO_THREAD_lock_free(ctx->lock);
CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
memset(ctx, '\0', sizeof(*ctx));
@@ -328,11 +322,6 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
- if (ctx->rand_crngt != NULL) {
- ossl_rand_crng_ctx_free(ctx->rand_crngt);
- ctx->rand_crngt = NULL;
- }
-
#ifdef FIPS_MODULE
if (ctx->thread_event_handler != NULL) {
ossl_thread_event_ctx_free(ctx->thread_event_handler);
@@ -380,9 +369,7 @@ static int context_deinit(OSSL_LIB_CTX *ctx)
ossl_crypto_cleanup_all_ex_data_int(ctx);
- CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
CRYPTO_THREAD_lock_free(ctx->lock);
- ctx->rand_crngt_lock = NULL;
ctx->lock = NULL;
CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
return 1;
@@ -573,8 +560,6 @@ int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx)
void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
{
- void *p;
-
ctx = ossl_lib_ctx_get_concrete(ctx);
if (ctx == NULL)
return NULL;
@@ -621,36 +606,6 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
return ctx->threads;
#endif
- case OSSL_LIB_CTX_RAND_CRNGT_INDEX: {
-
- /*
- * rand_crngt must be lazily initialized because it calls into
- * libctx, so must not be called from context_init, else a deadlock
- * will occur.
- *
- * We use a separate lock because code called by the instantiation
- * of rand_crngt is liable to try and take the libctx lock.
- */
- if (CRYPTO_THREAD_read_lock(ctx->rand_crngt_lock) != 1)
- return NULL;
-
- if (ctx->rand_crngt == NULL) {
- CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
-
- if (CRYPTO_THREAD_write_lock(ctx->rand_crngt_lock) != 1)
- return NULL;
-
- if (ctx->rand_crngt == NULL)
- ctx->rand_crngt = ossl_rand_crng_ctx_new(ctx);
- }
-
- p = ctx->rand_crngt;
-
- CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
-
- return p;
- }
-
#ifdef FIPS_MODULE
case OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX:
return ctx->thread_event_handler;
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index b117a67f91..9e147f27bb 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -696,6 +696,33 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent,
return ctx;
}
+#ifdef FIPS_MODULE
+static EVP_RAND_CTX *rand_new_crngt(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent)
+{
+ EVP_RAND *rand;
+ EVP_RAND_CTX *ctx;
+
+ rand = EVP_RAND_fetch(libctx, "CRNG-TEST", "fips=no");
+ if (rand == NULL) {
+ ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_FETCH_DRBG);
+ return NULL;
+ }
+ ctx = EVP_RAND_CTX_new(rand, parent);
+ EVP_RAND_free(rand);
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG);
+ return NULL;
+ }
+
+ if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) {
+ ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG);
+ EVP_RAND_CTX_free(ctx);
+ return NULL;
+ }
+ return ctx;
+}
+#endif
+
/*
* Get the primary random generator.
* Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
@@ -727,21 +754,23 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
return ret;
}
-#ifndef FIPS_MODULE
+#ifdef FIPS_MODULE
+ ret = rand_new_crngt(ctx, dgbl->seed);
+#else
if (dgbl->seed == NULL) {
ERR_set_mark();
dgbl->seed = rand_new_seed(ctx);
ERR_pop_to_mark();
}
+ ret = rand_new_drbg(ctx, dgbl->seed, PRIMARY_RESEED_INTERVAL,
+ PRIMARY_RESEED_TIME_INTERVAL, 1);
#endif
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
- PRIMARY_RESEED_INTERVAL,
- PRIMARY_RESEED_TIME_INTERVAL, 1);
/*
- * The primary DRBG may be shared between multiple threads so we must
- * enable locking.
- */
+ * The primary DRBG may be shared between multiple threads so we must
+ * enable locking.
+ */
+ dgbl->primary = ret;
if (ret != NULL && !EVP_RAND_enable_locking(ret)) {
ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING);
EVP_RAND_CTX_free(ret);
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index 6b90b729e3..3227f9fcf9 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -100,7 +100,7 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_NAMEMAP_INDEX 4
# define OSSL_LIB_CTX_DRBG_INDEX 5
# define OSSL_LIB_CTX_DRBG_NONCE_INDEX 6
-# define OSSL_LIB_CTX_RAND_CRNGT_INDEX 7
+/* slot 7 unused, was CRNG test data and can be reused */
# ifdef FIPS_MODULE
# define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
# endif
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index c446367dea..561f7123ad 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -386,6 +386,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
};
static const OSSL_ALGORITHM fips_rands[] = {
+ { PROV_NAMES_CRNG_TEST, FIPS_UNAPPROVED_PROPERTIES, ossl_crng_test_functions },
{ PROV_NAMES_CTR_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ctr_functions },
{ PROV_NAMES_HASH_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_hash_functions },
{ PROV_NAMES_HMAC_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ossl_hmac_functions },
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index 66f42e0a14..5b91905657 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -296,6 +296,7 @@ extern const OSSL_DISPATCH ossl_kdf_argon2id_functions[];
extern const OSSL_DISPATCH ossl_test_rng_functions[];
extern const OSSL_DISPATCH ossl_seed_src_functions[];
extern const OSSL_DISPATCH ossl_jitter_functions[];
+extern const OSSL_DISPATCH ossl_crng_test_functions[];
extern const OSSL_DISPATCH ossl_drbg_hash_functions[];
extern const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[];
extern const OSSL_DISPATCH ossl_drbg_ctr_functions[];
diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h
index 05df498d0e..d422dbac29 100644
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@@ -306,6 +306,7 @@
* RANDs
* -----
*/
+#define PROV_NAMES_CRNG_TEST "CRNG-TEST"
#define PROV_NAMES_CTR_DRBG "CTR-DRBG"
#define PROV_NAMES_HASH_DRBG "HASH-DRBG"
#define PROV_NAMES_HMAC_DRBG "HMAC-DRBG"
diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info
index 70f8454193..8e0894faa6 100644
--- a/providers/implementations/rands/build.info
+++ b/providers/implementations/rands/build.info
@@ -2,5 +2,6 @@ SUBDIRS=seeding
$RANDS_GOAL=../../libdefault.a ../../libfips.a
-SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c
+SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c
SOURCE[../../libdefault.a]=seed_src.c seed_src_jitter.c
+SOURCE[../../libfips.a]=fips_crng_test.c
diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
deleted file mode 100644
index fa4a2db14a..0000000000
--- a/providers/implementations/rands/crngt.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
- */
-
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/core_dispatch.h>
-#include <openssl/params.h>
-#include <openssl/self_test.h>
-#include "prov/providercommon.h"
-#include "prov/provider_ctx.h"
-#include "internal/cryptlib.h"
-#include "crypto/rand_pool.h"
-#include "drbg_local.h"
-#include "prov/seeding.h"
-#include "crypto/context.h"
-
-typedef struct crng_test_global_st {
- unsigned char crngt_prev[EVP_MAX_MD_SIZE];
- EVP_MD *md;
- int preloaded;
- CRYPTO_RWLOCK *lock;
-} CRNG_TEST_GLOBAL;
-
-static int crngt_get_entropy(PROV_CTX *provctx, const EVP_MD *digest,
- unsigned char *buf, unsigned char *md,
- unsigned int *md_size)
-{
- int r;
- size_t n;
- unsigned char *p;
-
- n = ossl_prov_get_entropy(provctx, &p, 0, CRNGT_BUFSIZ, CRNGT_BUFSIZ);
- if (n == CRNGT_BUFSIZ) {
- r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, digest, NULL);
- if (r != 0)
- memcpy(buf, p, CRNGT_BUFSIZ);
- ossl_prov_cleanup_entropy(provctx, p, n);
- return r != 0;
- }
- if (n != 0)
- ossl_prov_cleanup_entropy(provctx, p, n);
- return 0;
-}
-
-void ossl_rand_crng_ctx_free(void *vcrngt_glob)
-{
- CRNG_TEST_GLOBAL *crngt_glob = vcrngt_glob;
-
- CRYPTO_THREAD_lock_free(crngt_glob->lock);
- EVP_MD_free(crngt_glob->md);
- OPENSSL_free(crngt_glob);
-}
-
-void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *ctx)
-{
- CRNG_TEST_GLOBAL *crngt_glob = OPENSSL_zalloc(sizeof(*crngt_glob));
-
- if (crngt_glob == NULL)
- return NULL;
-
- if ((crngt_glob->md = EVP_MD_fetch(ctx, "SHA256", "")) == NULL) {
- OPENSSL_free(crngt_glob);
- return NULL;
- }
-
- if ((crngt_glob->lock = CRYPTO_THREAD_lock_new()) == NULL) {
- EVP_MD_free(crngt_glob->md);
- OPENSSL_free(crngt_glob);
- return NULL;
- }
-
- return crngt_glob;
-}
-
-static int prov_crngt_compare_previous(const unsigned char *prev,
- const unsigned char *cur,
- size_t sz)
-{
- const int res = memcmp(prev, cur, sz) != 0;
-
- if (!res)
- ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
- return res;
-}
-
-size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
- unsigned char **pout,
- int entropy, size_t min_len, size_t max_len,
- int prediction_resistance)
-{
- unsigned char md[EVP_MAX_MD_SIZE];
- unsigned char buf[CRNGT_BUFSIZ];
- unsigned char *ent, *entp, *entbuf;
- unsigned int sz;
- size_t bytes_needed;
- size_t r = 0, s, t;
- int crng_test_pass = 1;
- OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
- CRNG_TEST_GLOBAL *crngt_glob
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX);
- OSSL_CALLBACK *stcb = NULL;
- void *stcbarg = NULL;
- OSSL_SELF_TEST *st = NULL;
-
- if (crngt_glob == NULL)
- return 0;
-
- if (!CRYPTO_THREAD_write_lock(crngt_glob->lock))
- return 0;
-
- if (!crngt_glob->preloaded) {
- if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, buf,
- crngt_glob->crngt_prev, NULL)) {
- OPENSSL_cleanse(buf, sizeof(buf));
- goto unlock_return;
- }
- crngt_glob->preloaded = 1;
- }
-
- /*
- * Calculate how many bytes of seed material we require, rounded up
- * to the nearest byte. If the entropy is of less than full quality,
- * the amount required should be scaled up appropriately here.
- */
- bytes_needed = (entropy + 7) / 8;
- if (bytes_needed < min_len)
- bytes_needed = min_len;
- if (bytes_needed > max_len)
- goto unlock_return;
- entp = ent = OPENSSL_secure_malloc(bytes_needed);
- if (ent == NULL)
- goto unlock_return;
-
- OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
- if (stcb != NULL) {
- st = OSSL_SELF_TEST_new(stcb, stcbarg);
- if (st == NULL)
- goto err;
- OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_CRNG,
- OSSL_SELF_TEST_DESC_RNG);
- }
-
- for (t = bytes_needed; t > 0;) {
- /* Care needs to be taken to avoid overrunning the buffer */
- s = t >= CRNGT_BUFSIZ ? CRNGT_BUFSIZ : t;
- entbuf = t >= CRNGT_BUFSIZ ? entp : buf;
- if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, entbuf, md, &sz))
- goto err;
- if (t < CRNGT_BUFSIZ)
- memcpy(entp, buf, t);
- /* Force a failure here if the callback returns 1 */
- if (OSSL_SELF_TEST_oncorrupt_byte(st, md))
- memcpy(md, crngt_glob->crngt_prev, sz);
- if (!prov_crngt_compare_previous(crngt_glob->crngt_prev, md, sz)) {
- crng_test_pass = 0;
- goto err;
- }
- /* Update for next block */
- memcpy(crngt_glob->crngt_prev, md, sz);
- entp += s;
- t -= s;
- }
- r = bytes_needed;
- *pout = ent;
- ent = NULL;
-
- err:
- OSSL_SELF_TEST_onend(st, crng_test_pass);
- OSSL_SELF_TEST_free(st);
- OPENSSL_secure_clear_free(ent, bytes_needed);
-
- unlock_return:
- CRYPTO_THREAD_unlock(crngt_glob->lock);
- return r;
-}
-
-void ossl_crngt_cleanup_entropy(ossl_unused PROV_DRBG *drbg,
- unsigned char *out, size_t outlen)
-{
- OPENSSL_secure_clear_free(out, outlen);
-}
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 255bf9b507..f9aa5e2fae 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -197,18 +197,12 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
unsigned int p_str;
if (drbg->parent == NULL)
-#ifdef FIPS_MODULE
- return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
- prediction_resistance);
-#else
/*
* In normal use (i.e. OpenSSL's own uses), this is never called.
- * Outside of the FIPS provider, OpenSSL sets its DRBGs up so that
- * they always have a parent. This remains purely for legacy reasons.
+ * This remains purely for legacy reasons.
*/
return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
max_len);
-#endif
if (drbg->parent_get_seed == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
@@ -251,11 +245,7 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
{
if (drbg->parent == NULL) {
-#ifdef FIPS_MODULE
- ossl_crngt_cleanup_entropy(drbg, out, outlen);
-#else
ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
-#endif
} else if (drbg->parent_clear_seed != NULL) {
if (!ossl_drbg_lock_parent(drbg))
return;
diff --git a/providers/implementations/rands/fips_crng_test.c b/providers/implementations/rands/fips_crng_test.c
new file mode 100644
index 0000000000..057ae6e35e
--- /dev/null
+++ b/providers/implementations/rands/fips_crng_test.c
@@ -0,0 +1,434 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Implementation of SP 800-90B section 4.4 Approved Continuous Health Tests.
+ */
+
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/params.h>
+#include <openssl/self_test.h>
+#include <openssl/proverr.h>
+#include "prov/providercommon.h"
+#include "prov/provider_ctx.h"
+#include "prov/implementations.h"
+#include "internal/cryptlib.h"
+#include "crypto/rand_pool.h"
+#include "drbg_local.h"
+#include "prov/seeding.h"
+#include "crypto/context.h"
+
+static OSSL_FUNC_rand_newctx_fn crng_test_new;
+static OSSL_FUNC_rand_freectx_fn crng_test_free;
+static OSSL_FUNC_rand_instantiate_fn crng_test_instantiate;
+static OSSL_FUNC_rand_uninstantiate_fn crng_test_uninstantiate;
+static OSSL_FUNC_rand_generate_fn crng_test_generate;
+static OSSL_FUNC_rand_reseed_fn crng_test_reseed;
+static OSSL_FUNC_rand_gettable_ctx_params_fn crng_test_gettable_ctx_params;
+static OSSL_FUNC_rand_get_ctx_params_fn crng_test_get_ctx_params;
+static OSSL_FUNC_rand_verify_zeroization_fn crng_test_verify_zeroization;
+static OSSL_FUNC_rand_enable_locking_fn crng_test_enable_locking;
+static OSSL_FUNC_rand_lock_fn crng_test_lock;
+static OSSL_FUNC_rand_unlock_fn crng_test_unlock;
+static OSSL_FUNC_rand_get_seed_fn crng_test_get_seed;
+static OSSL_FUNC_rand_clear_seed_fn crng_test_clear_seed;
+
+#ifndef ENTROPY_H
+# define ENTROPY_H 6 /* default to six bits per byte of entropy */
+#endif
+#ifndef ENTROPY_APT_W
+# define ENTROPY_APT_W 512
+#endif
+
+typedef struct crng_testal_st {
+ void *provctx;
+ CRYPTO_RWLOCK *lock;
+ int state;
+
+ /* State for SP 800-90B 4.4.1 Repetition Count Test */
+ struct {
+ unsigned int b;
+ uint8_t a;
+ } rct;
+
+ /* State for SP 800-90B 4.4.2 Adaptive Proportion Test */
+ struct {
+ unsigned int b;
+ unsigned int i;
+ uint8_t a;
+ } apt;
+
+ /* Parent PROV_RAND and its dispatch table functions */
+ void *parent;
+ OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
+ OSSL_FUNC_rand_lock_fn *parent_lock;
+ OSSL_FUNC_rand_unlock_fn *parent_unlock;
+ OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
+ OSSL_FUNC_rand_gettable_ctx_params_fn *parent_gettable_ctx_params;
+ OSSL_FUNC_rand_get_seed_fn *parent_get_seed;
+ OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed;
+} CRNG_TEST;
+
+/*
+ * Some helper functions
+ */
+static int lock_parent(CRNG_TEST *crngt)
+{
+ void *parent = crngt->parent;
+
+ if (parent != NULL
+ && crngt->parent_lock != NULL
+ && !crngt->parent_lock(parent)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
+ }
+ return 1;
+}
+
+static void unlock_parent(CRNG_TEST *crngt)
+{
+ void *parent = crngt->parent;
+
+ if (parent != NULL && crngt->parent_unlock != NULL)
+ crngt->parent_unlock(parent);
+}
+
+/*
+ * Implementation of SP 800-90B section 4.4.1: Repetition Count Test
+ */
+static int RCT_test(CRNG_TEST *crngt, uint8_t next)
+{
+ /*
+ * Critical values for this test are computed using:
+ *
+ * C = 1 + \left\lceil\frac{-log_2 \alpha}H\right\rceil
+ *
+ * where alpha = 2^-20 and H is the expected entropy per sample.
+ */
+ static const unsigned int rct_c[9] = {
+ 41, /* H = 0.5 */
+ 21, 11, 8, 6, 5, 5, 4, 4 /* H = 1, ..., 8 */
+ };
+
+ if (ossl_likely(crngt->rct.b != 0)
+ && ossl_unlikely(next == crngt->rct.a))
+ return ossl_likely(++crngt->rct.b < rct_c[ENTROPY_H]);
+ crngt->rct.a = next;
+ crngt->rct.b = 1;
+ return 1;
+}
+
+/*
+ * Implementation of SP 800-90B section 4.4.2: Adaptive Proportion Test
+ */
+static int APT_test(CRNG_TEST *crngt, uint8_t next)
+{
+ /*
+ * Critical values for this test are drawn from a binomial
+ * distribution with n = 512, p = 2^-H at a critical threshold of
+ * 2^-20. H being the expected entropy per sample. Refer SP 800-90B
+ * section 4.4.2, table 2.
+ */
+ static const unsigned int apt_c[9] = {
+ 410, /* H = 0.5 */
+ 311, 177, 103, 62, 39, 25, 18, 13 /* H = 1, ..., 8 */
+ };
+
+ if (ossl_likely(crngt->apt.b != 0)) {
+ if (ossl_unlikely(crngt->apt.a == next)
+ && ossl_unlikely(++crngt->apt.b >= apt_c[ENTROPY_H])) {
+ crngt->apt.b = 0;
+ return 0;
+ }
+ if (ossl_unlikely(++crngt->apt.i >= ENTROPY_APT_W))
+ crngt->apt.b = 0;
+ return 1;
+ }
+ crngt->apt.a = next;
+ crngt->apt.b = 1;
+ crngt->apt.i = 1;
+ return 1;
+}
+
+static int crng_test(CRNG_TEST *crngt, const unsigned char *buf, size_t n)
+{
+ size_t i;
+
+ for (i = 0; i < n; i++)
+ if (!RCT_test(crngt, buf[i]) || !APT_test(crngt, buf[i])) {
+ crngt->state = EVP_RAND_STATE_ERROR;
+ ERR_raise(ERR_LIB_PROV,
+ PROV_R_ENTROPY_SOURCE_FAILED_CONTINUOUS_TESTS);
+ return 0;
+ }
+ return 1;
+}
+
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+ int function)
+{
+ if (dispatch != NULL)
+ while (dispatch->function_id != 0) {
+ if (dispatch->function_id == function)
+ return dispatch;
+ dispatch++;
+ }
+ return NULL;
+}
+
+static void *crng_test_new(void *provctx, void *parent,
+ const OSSL_DISPATCH *p_dispatch)
+{
+ CRNG_TEST *crngt = OPENSSL_zalloc(sizeof(*crngt));
+ const OSSL_DISPATCH *pfunc;
+
+ if (crngt == NULL)
+ return NULL;
+
+ crngt->provctx = provctx;
+ crngt->state = EVP_RAND_STATE_UNINITIALISED;
+
+ /* Extract parent's functions */
+ if (parent != NULL) {
+ crngt->parent = parent;
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
+ crngt->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
+ crngt->parent_lock = OSSL_FUNC_rand_lock(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
+ crngt->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS)) != NULL)
+ crngt->parent_gettable_ctx_params = OSSL_FUNC_rand_gettable_ctx_params(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
+ crngt->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
+ crngt->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
+ crngt->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
+ }
+
+ return crngt;
+}
+
+static void crng_test_free(void *vcrngt)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ if (crngt != NULL) {
+ CRYPTO_THREAD_lock_free(crngt->lock);
+ OPENSSL_free(crngt);
+ }
+}
+
+static int crng_test_instantiate(void *vcrngt, unsigned int strength,
+ int prediction_resistance,
+ const unsigned char *pstr,
+ size_t pstr_len,
+ ossl_unused const OSSL_PARAM params[])
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ /* Start up health tests should go here */
+ crngt->state = EVP_RAND_STATE_READY;
+ return 1;
+}
+
+static int crng_test_uninstantiate(void *vcrngt)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ crngt->state = EVP_RAND_STATE_UNINITIALISED;
+ return 1;
+}
+
+static int crng_test_generate(void *vcrngt, unsigned char *out, size_t outlen,
+ unsigned int strength, int prediction_resistance,
+ const unsigned char *adin, size_t adin_len)
+{
+ unsigned char *p;
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ if (!crng_test_get_seed(crngt, &p, 0, outlen, outlen, prediction_resistance,
+ adin, adin_len))
+ return 0;
+ memcpy(out, p, outlen);
+ crng_test_clear_seed(crngt, p, outlen);
+ return 1;
+}
+
+static int crng_test_reseed(ossl_unused void *vcrngt,
+ ossl_unused int prediction_resistance,
+ ossl_unused const unsigned char *ent,
+ ossl_unused size_t ent_len,
+ ossl_unused const unsigned char *adin,
+ ossl_unused size_t adin_len)
+{
+ return 1;
+}
+
+static int crng_test_verify_zeroization(ossl_unused void *vcrngt)
+{
+ return 1;
+}
+
+static size_t crng_test_get_seed(void *vcrngt, unsigned char **pout,
+ int entropy, size_t min_len,
+ size_t max_len,
+ int prediction_resistance,
+ const unsigned char *adin,
+ size_t adin_len)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+ size_t n;
+ int r = 0;
+
+ /* Without a parent, we rely on the up calls */
+ if (crngt->parent == NULL
+ || crngt->parent_get_seed == NULL) {
+ n = ossl_prov_get_entropy(crngt->provctx, pout, entropy,
+ min_len, max_len);
+ if (n == 0)
+ return 0;
+ r = crng_test(crngt, *pout, n);
+ return r > 0 ? n : 0;
+ }
+
+ /* Grab seed from our parent */
+ if (!crng_test_lock(crngt))
+ return 0;
+ if (!lock_parent(crngt)) {
+ crng_test_unlock(crngt);
+ return 0;
+ }
+ n = crngt->parent_get_seed(crngt->parent, pout, entropy,
+ min_len, max_len, prediction_resistance,
+ adin, adin_len);
+ unlock_parent(crngt);
+ if (n > 0)
+ r = crng_test(crngt, *pout, n);
+ crng_test_unlock(crngt);
+ if (n > 0 && r > 0)
+ return n;
+ if (crngt->parent_clear_seed != NULL)
+ crngt->parent_clear_seed(crngt->parent, *pout, n);
+ return 0;
+}
+
+static void crng_test_clear_seed(void *vcrngt,
+ unsigned char *out, size_t outlen)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ if (crngt->parent == NULL || crngt->parent_get_seed == NULL)
+ ossl_prov_cleanup_entropy(crngt->provctx, out, outlen);
+ else if (crngt->parent_clear_seed != NULL)
+ crngt->parent_clear_seed(crngt->parent, out, outlen);
+}
+
+static int crng_test_enable_locking(void *vcrngt)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ if (crngt != NULL && crngt->lock == NULL) {
+ if (crngt->parent_enable_locking != NULL)
+ if (!crngt->parent_enable_locking(crngt->parent)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
+ }
+ crngt->lock = CRYPTO_THREAD_lock_new();
+ if (crngt->lock == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int crng_test_lock(ossl_unused void *vcrngt)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ return crngt->lock == NULL || CRYPTO_THREAD_write_lock(crngt->lock);
+}
+
+static void crng_test_unlock(ossl_unused void *vcrngt)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+ if (crngt->lock != NULL)
+ CRYPTO_THREAD_unlock(crngt->lock);
+}
+
+static int crng_test_get_ctx_params(void *vcrngt, OSSL_PARAM params[])
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+ OSSL_PARAM *p;
+
+ if (crngt->parent != NULL && crngt->parent_get_ctx_params != NULL)
+ return crngt->parent_get_ctx_params(crngt->parent, params);
+
+ /* No parent means we are using call backs for entropy */
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
+ if (p != NULL && !OSSL_PARAM_set_int(p, crngt->state))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
+ if (p != NULL && !OSSL_PARAM_set_int(p, 1024))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, 128))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR);
+ if (p != NULL && !OSSL_PARAM_set_int(p, 0))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *crng_test_gettable_ctx_params(void *vcrngt,
+ void *provctx)
+{
+ CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL),
+ OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),
+ OSSL_PARAM_int(OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR, NULL),
+ OSSL_PARAM_END
+ };
+
+ if (crngt->parent != NULL && crngt->parent_gettable_ctx_params != NULL)
+ return crngt->parent_gettable_ctx_params(crngt->parent, provctx);
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_crng_test_functions[] = {
+ { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crng_test_new },
+ { OSSL_FUNC_RAND_FREECTX, (void(*)(void))crng_test_free },
+ { OSSL_FUNC_RAND_INSTANTIATE,
+ (void(*)(void))crng_test_instantiate },
+ { OSSL_FUNC_RAND_UNINSTANTIATE,
+ (void(*)(void))crng_test_uninstantiate },
+ { OSSL_FUNC_RAND_GENERATE, (void(*)(void))crng_test_generate },
+ { OSSL_FUNC_RAND_RESEED, (void(*)(void))crng_test_reseed },
+ { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))crng_test_enable_locking },
+ { OSSL_FUNC_RAND_LOCK, (void(*)(void))crng_test_lock },
+ { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))crng_test_unlock },
+ { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
+ (void(*)(void))crng_test_gettable_ctx_params },
+ { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crng_test_get_ctx_params },
+ { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
+ (void(*)(void))crng_test_verify_zeroization },
+ { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))crng_test_get_seed },
+ { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))crng_test_clear_seed },
+ OSSL_DISPATCH_END
+};